Auth: Login incorrect: [maxx09/<no User-Password attribute>]
Sam T
givemesam at gmail.com
Mon Mar 23 01:10:41 CET 2020
Thank you for that. You're right. I did not compile this freeradius server,
so I'm working with something that has been modded heavily. But I did get in
there, and add eap to authorize. That got it going. I loaded in eap.conf
with the right mods too (changed md5 to tls).
After reviewing the debug output, I think the router was sending the
password inside "EAP-Message" or somehow mschapv2 is coming in as
EAP-message? OR mikrotik is trying to pull a client cert from radius. I'm
not sure....
This is after putting eap in authorize, and modding the eap.conf to point
to the certs and md5>tls.
My desired goal is to get user/pass to work through EAP, with no client
certs. I'm not sure it is possible, but each reply I get from you, and then
research more, gets me a few steps closer. I also wrote mikrotik to see if
their setup is passing the password through EAP message, or they're ignoring
it, and the EAP-radius is designed for cert only, no passwords. But maybe
you can tell when looking at the cert error below.
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/server01.rad
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 141
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0007], Certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert write:fatal:handshake failure): [maxx09/<via Auth-Type = EAP>] (from client wificpa port 0 cli 44.55.66.77)
On Sun, Mar 22, 2020 at 12:55 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 22, 2020, at 1:07 PM, Sam T <givemesam at gmail.com> wrote:
> >
> > What you are trying to do: Get radius to work with mikrotik ikev2
> > authorization / client has self signed CA cert, Server has signed server +
> > CA cert
> >
> > - why you are trying to do it: to add ikev2 radius auth while also
> > supporting wifi authorization (which is working great)
> > - what you expect the server to do: to accept user pass from mikrotik,
> > and provide authorization reply w/ radreply attributes
> > - what the server does instead (i.e. debug output). see output
> >
> > (my previous submission ran freeradius -X on top of a running server, this
> > time I followed the instructions, here is 1 clean process of the ikev2
> > request)
> >
> > rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66,
> > length=143
> > User-Name = "maxx09"
> > Called-Station-Id = "444.555.666.777"
> > Calling-Station-Id = "222.333.444.555"
> > NAS-Port-Id = "\000\000\000\r"
> > NAS-Port-Type = Virtual
> > Service-Type = Framed-User
> > Event-Timestamp = "Mar 22 2020 16:54:39 UTC"
> > Framed-MTU = 1400
> > EAP-Message = 0x0200000b016d6178783039
>
> It's EAP, which means that there is likely no User-Password *ever* in
> the request.
>
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!! Replacing User-Password in config items with Cleartext-Password.        !!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!! Please update your configuration so that the "known good"               !!!
> > !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Please follow that advice. The "known good" password should be in
> Cleartext-Password. Putting it into User-Password has been deprecated for
> 15+ years.
>
> > Cannot perform authentication.
> > Failed to authenticate the user.
>
> Because the user is doing EAP, and you deleted the "eap" module from the
> "authorize" section.
>
> The default configuration works. Start with that, and make small
> changes, in order to get what you want.
>
> If you delete massive amounts of things from the default configuration,
> you are very likely to break something. As has been done here.
>
> The EAP module does EAP authentication. You MUST configure the EAP
> module in order for this to work.
>
> Alan DeKok.
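Added example, not part of the thread or of FreeRADIUS itself: a small Python decoder for the EAP-Message value shown in the Access-Request above, illustrating Alan's point that an EAP request carries an identity (and later TLS records) rather than a User-Password, plus a helper that classifies which credential form a request carries. The header layout and type numbers follow RFC 3748; the sample value is the one from the debug output, and the function names are my own.

```python
import struct

# EAP header fields per RFC 3748: Code (1), Identifier (1), Length (2), then
# for Request/Response a Type byte and type-specific data.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_message(attr: str) -> dict:
    """Parse the hex string FreeRADIUS prints for an EAP-Message attribute."""
    raw = bytes.fromhex(attr[2:] if attr.lower().startswith("0x") else attr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes received")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"),
              "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        eap_type = raw[4]
        result["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        result["data"] = raw[5:]
        if eap_type == 1:  # Identity: the data is the peer's NAI/user name
            result["identity"] = raw[5:].decode("utf-8", errors="replace")
    return result


def auth_path(attributes: dict) -> str:
    """Classify the credential form of an Access-Request from its attribute names.

    An EAP-Message means the password (if any) is inside the EAP method, so
    the eap module has to run in authorize and authenticate, as the thread says.
    """
    if "EAP-Message" in attributes:
        return "EAP (no cleartext password in the request)"
    if "User-Password" in attributes:
        return "PAP (User-Password)"
    if any(name.startswith("MS-CHAP") for name in attributes):
        return "MS-CHAP"
    return "no credential attribute"


# Constructed sample: the EAP-Message value from the Access-Request above.
SAMPLE_ATTRS = {"User-Name": "maxx09",
                "EAP-Message": "0x0200000b016d6178783039"}

if __name__ == "__main__":
    print(decode_eap_message(SAMPLE_ATTRS["EAP-Message"]))
    print(auth_path(SAMPLE_ATTRS))
```

Running it shows the first packet is an EAP Response/Identity for "maxx09", which is why the server finds Auth-Type = EAP and never sees a User-Password.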